Multiple cookies with same name are not supported #3433

Closed
jerseyrobot opened this issue Sep 4, 2016 · 7 comments

Comments

@jerseyrobot
Contributor

It's possible to have multiple cookies with the same name in the cookie header (e.g. cookies in subdomains/subpaths). So, the following is a valid header:
Cookie: token=val1; token=val2

However, org.glassfish.jersey.server.ContainerRequest.getCookies returns a Map<String, Cookie>, indicating that it returns only one cookie per name. It calls HttpRequestHeader.readCookies which in turn calls CookieParser.parseCookies. The implementation of parseCookies makes it clear that for multiple cookies with the same name, the last one is returned in the map.

Environment: Server

Affected Versions: 2.22
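
An added example, written for this page rather than taken from Jersey or the reporter: a Cookie-header parser that keeps every occurrence of a name instead of collapsing to one value, beside the two one-value-per-name policies a framework can choose between. DuplicateCookieParser is a made-up class name, and the only input is the header quoted in the report, passed in the List<String> shape that the standard JAX-RS HttpHeaders.getRequestHeader("Cookie") returns.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not Jersey code: a Cookie-header parser that keeps every
// occurrence of a name instead of collapsing to one value, next to the two
// one-value-per-name policies a framework can adopt. The class name is made up.
public final class DuplicateCookieParser {

    /**
     * Parses one or more Cookie header values (a request may carry several
     * Cookie lines) into name -> values, preserving the client's order.
     */
    public static Map<String, List<String>> parseAll(List<String> cookieHeaders) {
        Map<String, List<String>> byName = new LinkedHashMap<>();
        for (String header : cookieHeaders) {
            if (header == null) {
                continue;
            }
            for (String pair : header.split(";")) {
                String trimmed = pair.trim();
                if (trimmed.isEmpty()) {
                    continue;
                }
                int eq = trimmed.indexOf('=');
                String name = (eq < 0 ? trimmed : trimmed.substring(0, eq)).trim();
                String value = eq < 0 ? "" : trimmed.substring(eq + 1).trim();
                // RFC 6265 lets a cookie-value be wrapped in DQUOTEs; strip them.
                if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                    value = value.substring(1, value.length() - 1);
                }
                byName.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
            }
        }
        return byName;
    }

    /**
     * First occurrence wins. A user agent following RFC 6265 section 5.4 lists
     * the longer-path (then older) cookie first, so this keeps the value the
     * user agent itself put at the front of the header.
     */
    public static Map<String, String> firstWins(Map<String, List<String>> byName) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : byName.entrySet()) {
            out.put(e.getKey(), e.getValue().get(0));
        }
        return out;
    }

    /** Last occurrence wins: the behaviour the issue reports for CookieParser.parseCookies. */
    public static Map<String, String> lastWins(Map<String, List<String>> byName) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : byName.entrySet()) {
            List<String> values = e.getValue();
            out.put(e.getKey(), values.get(values.size() - 1));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: the header quoted in the issue, in the List<String>
        // form that JAX-RS HttpHeaders.getRequestHeader("Cookie") returns.
        List<String> headers = Arrays.asList("token=val1; token=val2");
        Map<String, List<String>> all = parseAll(headers);
        System.out.println("all values: " + all);
        System.out.println("first wins: " + firstWins(all));
        System.out.println("last wins:  " + lastWins(all));

        // Code that depends on one specific cookie, such as a CSRF or session
        // token, should treat a duplicated name as ambiguous instead of silently
        // using whichever value the parser happened to keep.
        List<String> tokens = all.getOrDefault("token", new ArrayList<>());
        if (tokens.size() > 1) {
            System.out.println("duplicate 'token' cookie (" + tokens.size()
                    + " values): refuse or log, do not guess");
        }
    }
}
```

Compile with javac DuplicateCookieParser.java and run java DuplicateCookieParser. On the header from the report, firstWins keeps val1 and lastWins keeps val2, which is exactly the disagreement the issue describes between what the user agent ordered first and what the server-side map ends up holding.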

@jerseyrobot
Contributor Author

@glassfishrobot Commented
Reported by sshukla

@jerseyrobot
Contributor Author

@glassfishrobot Commented
This issue was imported from java.net JIRA JERSEY-3161


@glitchcube

Hi,
I have recently got the same issue. The problem occurred when we used Spring's CSRF protection. Spring Security sends two cookies with the name XSRF-TOKEN in the Set-Cookie headers: one with Expires/Max-Age set to 0 and the other one with Expires/Max-Age set to Session.

All major browsers seem to always pick the cookie with Expires/Max-Age set to Session. But when I try to use the method below it returns the cookie which has expired.

org.glassfish.jersey.client.InboundJaxrsResponse#getCookies

@jansupol
Contributor

jansupol commented Feb 4, 2020

RFC 6265 Section 5.4 defines that:

The user agent SHOULD sort the cookie-list in the following
order:

  *  Cookies with longer paths are listed before cookies with
     shorter paths.

  *  Among cookies that have equal-length path fields, cookies with
     earlier creation-times are listed before cookies with later
     creation-times.

SHOULD is not MUST, so technically not a bug. But I agree Jersey SHOULD do what is recommended.
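
An added example, mine rather than Jersey's or either commenter's, of what the RFC 6265 rules quoted above produce when a client implements them: a minimal cookie store that applies the section 5.3 storage rules (a Set-Cookie with Max-Age=0 evicts the stored cookie of the same name, domain and path) and then builds the Cookie header in the section 5.4 order, longer path first and then earlier creation time. It also covers the Spring Security Set-Cookie pair from the earlier comment. SimpleCookieJar, Stored, the domain app.example and the Set-Cookie lines are constructed for illustration; only the Path and Max-Age attributes are interpreted, and Expires, Domain, Secure and HttpOnly are ignored.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;

// Added example, not Jersey code: a minimal client-side cookie store that
// applies RFC 6265 storage rules (Max-Age=0 evicts the cookie with the same
// name, domain and path) and emits the Cookie header in section 5.4 order.
// SimpleCookieJar and Stored are made-up names; only Path and Max-Age are read.
public final class SimpleCookieJar {

    static final class Stored {
        final String name, value, domain, path;
        final long creationTime; // receive order stands in for the wall clock

        Stored(String name, String value, String domain, String path, long creationTime) {
            this.name = name;
            this.value = value;
            this.domain = domain;
            this.path = path;
            this.creationTime = creationTime;
        }
    }

    private final List<Stored> store = new ArrayList<>();
    private long clock = 0;

    /** Processes one Set-Cookie header from a response served by {@code domain}. */
    public void receive(String domain, String setCookie) {
        String[] parts = setCookie.split(";");
        String[] nv = parts[0].trim().split("=", 2);
        String name = nv[0].trim();
        String value = nv.length > 1 ? nv[1].trim() : "";
        String path = "/";
        Long maxAge = null;
        for (int i = 1; i < parts.length; i++) {
            String[] attr = parts[i].trim().split("=", 2);
            String key = attr[0].trim().toLowerCase();
            String val = attr.length > 1 ? attr[1].trim() : "";
            if (key.equals("path")) {
                path = val;
            } else if (key.equals("max-age")) {
                try {
                    maxAge = Long.parseLong(val);
                } catch (NumberFormatException ignored) {
                    // RFC 6265 section 5.2.2: a non-numeric Max-Age is ignored
                }
            }
        }
        // RFC 6265 section 5.3 steps 11-12: a cookie with the same name, domain and
        // path replaces the stored one and inherits its creation time. A cookie that
        // arrives already expired (Max-Age <= 0) evicts the old one but is not kept.
        long created = clock++;
        Iterator<Stored> it = store.iterator();
        while (it.hasNext()) {
            Stored old = it.next();
            if (old.name.equals(name) && old.domain.equals(domain) && old.path.equals(path)) {
                created = old.creationTime;
                it.remove();
            }
        }
        if (maxAge != null && maxAge <= 0) {
            return;
        }
        store.add(new Stored(name, value, domain, path, created));
    }

    /** Cookie header for a request to {@code domain} at {@code requestPath}, ordered per RFC 6265 section 5.4. */
    public String cookieHeader(String domain, String requestPath) {
        List<Stored> matching = new ArrayList<>();
        for (Stored c : store) {
            if (c.domain.equals(domain) && pathMatches(requestPath, c.path)) {
                matching.add(c);
            }
        }
        // Longer paths first, then earlier creation time, as section 5.4 recommends.
        matching.sort(Comparator.<Stored>comparingInt(c -> -c.path.length())
                .thenComparingLong(c -> c.creationTime));
        StringBuilder sb = new StringBuilder();
        for (Stored c : matching) {
            if (sb.length() > 0) {
                sb.append("; ");
            }
            sb.append(c.name).append('=').append(c.value);
        }
        return sb.toString();
    }

    /** RFC 6265 section 5.1.4 path-match. */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) {
            return true;
        }
        if (!requestPath.startsWith(cookiePath)) {
            return false;
        }
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    public static void main(String[] args) {
        SimpleCookieJar jar = new SimpleCookieJar();
        // Constructed Set-Cookie pair modelled on the Spring Security case in the
        // thread: an expired XSRF-TOKEN followed by a session-lifetime one.
        jar.receive("app.example", "XSRF-TOKEN=stale; Path=/; Max-Age=0");
        jar.receive("app.example", "XSRF-TOKEN=fresh; Path=/");
        // Constructed subpath case from the issue: same name, two paths.
        jar.receive("app.example", "token=val2; Path=/");
        jar.receive("app.example", "token=val1; Path=/api");
        System.out.println(jar.cookieHeader("app.example", "/api/items"));
    }
}
```

Compile with javac SimpleCookieJar.java and run java SimpleCookieJar. The expired XSRF-TOKEN never enters the store, so only the session one is sent, which is the browser behaviour the earlier comment describes; and for a request under /api the longer-path token=val1 is serialised before token=val2, so a server that keeps the last occurrence of a name ends up with the opposite value from the one the user agent listed first.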

@jansupol
Contributor

jansupol commented Feb 5, 2020

ContainerRequest.getCookies() inherits from HttpHeaders.getCookies, so we cannot change the return type to return multiple cookies with the same name.

@glitchcube

You've got a really good point, @jansupol. If we could have the cookies sorted in the recommended order, this should solve the problem.
Is this something that can be done?

Thanks for the fast feedback!

jansupol pushed a commit to jansupol/jersey that referenced this issue Mar 23, 2020
…rted

Signed-off-by: tvallin <thibault.vallin@oracle.com>
(cherry picked from commit e5af7d6)